BNB Chain, a blockchain linked to the Binance cryptocurrency exchange, discovered an exploit on a cross-chain bridge that led to around $100 million in cryptocurrency being stolen. “There was an exploit affecting the native cross-chain bridge between BNB Beacon Chain (BEP2) and BNB Smart Chain (BEP20 or BSC), known as ‘BSC Token Hub.’ The exploit was through a sophisticated forging of the low-level proof into one common library,” stated BNB Chain. The exploit on the cross-chain bridge “resulted in extra BNB,” according to Changpeng Zhao, CEO of Binance, and led to a temporary suspension of the Binance Smart Chain (BSC). Binance stated earlier that BNB, which stands for “Build and Build” (formerly known as Binance Coin), is the blockchain gas currency that “fuels” transactions on BNB Chain. Since the BSC Token Hub bridge’s vulnerability allowed the unidentified attacker to mint new BNB tokens illegally, no user funds are believed to have been affected.
According to SlowMist, a blockchain security company, the attack involved the withdrawal of two million BNB in two transactions, but the chain’s suspension stopped the theft of approximately $430 million in cryptocurrency. This incident follows the attacks on the Axie Infinity, Harmony Horizon, and Nomad bridges as one of the most significant this year to target cross-chain bridges, which enable the movement of assets between blockchains. In August, Chainalysis, a blockchain analytics company, reported that 13 cross-chain bridge attacks had resulted in the theft of $2 billion in cryptocurrencies, or 69% of the total funds stolen in 2022. Additionally, the development coincides with security company Bitdefender's disclosure of a cryptojacking campaign that used known DLL side-loading vulnerabilities in Microsoft OneDrive to establish persistence and distribute cryptocurrency mining software. In a related development, Trend Micro reported that a malicious actor, Water Labbu, attacked 45 cryptocurrency-based scam websites run by other criminals to steal victims’ funds and transfer them to a wallet under their control.